visual documentations

corkami.com



boring? 



• file formats were supposed to be safe 

o public specs 

o open-source parsers 

• {weirdness} == {exploits} ? 

• software = parse, sanitize, recover 



formats' diversity 1/2

no header

• COM (1982), MBR (1982)

magic signature

• none: DOL (2001)

• 2: TIFF, PE

• 4: most standard

• >4: PNG, PDF



formats' diversity 2/2 



start offset: 

• archives 

• range: PDF 

• mostly 0 

special properties 

• deprecated header: PE 

• variable scanning direction: PDF 

• multi-versions: BMP 

• scanned chunk: JPEG 

• no official names: ZIP 



Offset  Size  Field                 Description
0       2     Machine               The number that identifies the type of target machine. For more information, see section 3.3.1, "Machine Types."
2       2     NumberOfSections      The number of sections. This indicates the size of the section table, which immediately follows the headers.
4       4     TimeDateStamp         The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created.
8       4     PointerToSymbolTable  The file offset of the COFF symbol table, or zero if no COFF symbol table is present. This value should be zero for an image because COFF debugging information is deprecated.
12      4     NumberOfSymbols       The number of entries in the symbol table. This data can be used to locate the string table, which immediately follows the symbol table. This value should be zero for an image because COFF debugging information is deprecated.
16      2     SizeOfOptionalHeader  The size of the optional header, which is required for executable files but not for object files. This value should be zero for an object file. For a description of the header format, see section 3.4, "Optional Header (Image Only)."
18      2     Characteristics       The flags that indicate the attributes of the file. For specific flag values, see section 3.3.2, "Characteristics."



struc IMAGE_FILE_HEADER
    .Machine              resw 1
    .NumberOfSections     resw 1
    .TimeDateStamp        resd 1
    .PointerToSymbolTable resd 1
    .NumberOfSymbols      resd 1
    .SizeOfOptionalHeader resw 1
    .Characteristics      resw 1
endstruc

istruc IMAGE_FILE_HEADER
    at IMAGE_FILE_HEADER.Machine,              dw IMAGE_FILE_MACHINE_I386
    at IMAGE_FILE_HEADER.NumberOfSections,     dw NUMBEROFSECTIONS
    at IMAGE_FILE_HEADER.TimeDateStamp,        dd 04b51f504h ; 2010/1/16 5:19pm
    at IMAGE_FILE_HEADER.SizeOfOptionalHeader, dw SIZEOFOPTIONALHEADER
    at IMAGE_FILE_HEADER.Characteristics,      dw IMAGE_FILE_RELOCS_STRIPPED | \
                                                  IMAGE_FILE_EXECUTABLE_IMAGE | \
                                                  IMAGE_FILE_LINE_NUMS_STRIPPED | \
                                                  IMAGE_FILE_LOCAL_SYMS_STRIPPED | \
                                                  IMAGE_FILE_32BIT_MACHINE
iend

; the same structure, with the fields filled with all-ones values
istruc IMAGE_FILE_HEADER
    at IMAGE_FILE_HEADER.Machine,              dw 0xffff
    at IMAGE_FILE_HEADER.NumberOfSections,     dw 0xffff
    at IMAGE_FILE_HEADER.TimeDateStamp,        dd 0xffffffff
    at IMAGE_FILE_HEADER.PointerToSymbolTable, dd 0xffffffff
    at IMAGE_FILE_HEADER.NumberOfSymbols,      dd 0xffffffff
    at IMAGE_FILE_HEADER.SizeOfOptionalHeader, dw SIZEOFOPTIONALHEADER
    at IMAGE_FILE_HEADER.Characteristics,      dw 0xffff
iend
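An added example, not code from the slides: a Python check that follows e_lfanew and parses IMAGE_FILE_HEADER with the exact layout of the table above, then reports the values a loader tolerates but a sane linker never emits. The two istruc instances are rebuilt as constructed bytes; NumberOfSections and SizeOfOptionalHeader are assumed as 1 and 0xE0 (the PE32 optional header size), since the slides only show symbols for them.

```python
import struct

# IMAGE_FILE_HEADER as laid out in the table above, little-endian, 20 bytes:
# Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
# NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
FILE_HEADER = struct.Struct("<HHIIIHH")
FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
          "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

def locate_pe_header(data):
    """Follow e_lfanew (DOS header offset 0x3C) and return the offset of 'PE\\0\\0',
    or None when it points outside the file: the 144 MB file in the demo that follows
    is what it takes for e_lfanew = 09000000h to stay inside the file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + FILE_HEADER.size > len(data):
        return None
    return e_lfanew if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else None

def parse_file_header(data, pe_off):
    """Unpack the file header that immediately follows the PE signature."""
    return dict(zip(FIELDS, FILE_HEADER.unpack_from(data, pe_off + 4)))

def check_file_header(h, file_size):
    """Values a loader may accept but no linker writes; the all-ones header above
    trips three of these checks."""
    findings = []
    if h["Machine"] not in (IMAGE_FILE_MACHINE_I386, 0x8664):
        findings.append("unexpected Machine 0x%x" % h["Machine"])
    if not 0 < h["NumberOfSections"] <= 96:           # the spec: loader limits sections to 96
        findings.append("implausible NumberOfSections %d" % h["NumberOfSections"])
    if h["PointerToSymbolTable"] and h["PointerToSymbolTable"] >= file_size:
        findings.append("PointerToSymbolTable past EOF (should be 0 for an image)")
    if h["SizeOfOptionalHeader"] not in (0xE0, 0xF0):  # PE32 / PE32+
        findings.append("odd SizeOfOptionalHeader 0x%x" % h["SizeOfOptionalHeader"])
    if not h["Characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE not set")
    return findings

def make_stub(header_fields, e_lfanew=0x40):
    """Constructed minimal file: 'MZ', zeroed DOS header, e_lfanew, 'PE\\0\\0', file header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"\0" * (e_lfanew - 0x40) + b"PE\0\0" + FILE_HEADER.pack(*header_fields)

# The two headers from the istruc listings above (NumberOfSections and
# SizeOfOptionalHeader assumed as 1 and 0xE0; Characteristics 0x10F = the five flags ORed).
NORMAL = (IMAGE_FILE_MACHINE_I386, 1, 0x4B51F504, 0, 0, 0xE0, 0x10F)
WEIRD = (0xFFFF, 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0, 0xFFFF)
```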
[screenshot: emptyX.pdf opened in Adobe Reader as a one-page PDF]

demo



>e_lfanew09000000h.exe
* A PE with e_lfanew set to 09000000h

>du -h e_lfanew09000000h.exe
144M e_lfanew09000000h.exe



[screenshot: CFF Explorer, e_lfanew09000000h.exe, Dos Header: the four Words at offsets 00000034 to 0000003A are 0000, and the Dword e_lfanew at offset 0000003C is 09000000]



quine (relay)

>ver
Microsoft Windows [Version 6.1.7601]
>sha1sum relay.exe
c46307a2faec73902bc70e0d7e89a2f412935eb9 *relay.exe
>relay.exe > relay.asm
>yasm -o relay relay.asm
>sha1sum relay
1f6594a24e593e32b490c83d4112c9ca7237a553 *relay

dev@nux:~$ uname
Linux
dev@nux:~$ sha1sum relay
1f6594a24e593e32b490c83d4112c9ca7237a553  relay
dev@nux:~$ ./relay > relay.asm
dev@nux:~$ yasm -o relay.exe relay.asm
dev@nux:~$ sha1sum relay.exe
c46307a2faec73902bc70e0d7e89a2f412935eb9  relay.exe



polyglot

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii
00000000  47 49 46 38 39 61 2F 2A 0A 00 00 FF 00 2C 00 00   GIF89a/*.....,..    <- Format data
00000010  00 00 2F 2A 0A 00 00 02 00 3B 2A 2F 3D 31 3B 61   ../*.....;*/=1;a    <- Format data
00000020  6C 65 72 74 28 22 48 65 6C 6C 6F 20 57 6F 72 6C   lert("Hello Worl    <- Foreign data
00000030  64 5C 6E 28 66 72 6F 6D 20 61 20 47 49 46 20 66   d\n(from a GIF f
00000040  69 6C 65 29 22 29 3B                              ile)");

gifjs.html (view-source:file:///S:/gif/gifjs.html):

<html><body>
<img src="gifjs.gif">
<script src="gifjs.gif"></script>
</body></html>

[screenshot: file:///S:/gif/gifjs.html opened in a browser shows a JavaScript alert reading "Hello World (from a GIF file)"]
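An added example, not code from the slides: a Python walker that parses the GIF structure of the dump above (rebuilt inline as constructed bytes) and returns everything after the 0x3B trailer, which is where the script lives. A GIF decoder stops at the trailer and a JavaScript engine reads the header as an identifier and a comment, so looking at the slack a format leaves behind is how such a file is told apart from a plain image; the two detector heuristics are my own.

```python
import struct

# Constructed copy of the 71-byte GIF/JavaScript polyglot in the hex dump above.
GIFJS = (
    b"GIF89a/*\x0a\x00\x00\xff\x00,\x00\x00"
    b"\x00\x00/*\x0a\x00\x00\x02\x00;*/=1;a"
    b'lert("Hello World\\n(from a GIF file)");'
)

def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending with a 0x00 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def walk_gif(data):
    """Walk the GIF block structure up to the 0x3B trailer.

    Returns the logical screen size, the trailer offset and every byte after the
    trailer: a decoder never reads those, so that is the slack foreign data hides in.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 7))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                        # trailer
            return {"width": width, "height": height,
                    "trailer_offset": pos, "trailing": data[pos + 1:]}
        if tag == 0x2C:                        # image descriptor (10 bytes)
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 << (ipacked & 7))
            pos = _skip_sub_blocks(data, pos + 1)   # LZW min code size, then data
        elif tag == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, pos))
    raise ValueError("no trailer found")

def header_opens_js_comment(data):
    """The width field doubling as '/*' is what turns the GIF header into a JS comment."""
    return data[6:8] == b"/*"

def trailing_looks_like_script(trailing):
    """Cheap tell: a comment closer or a call right after the trailer."""
    t = trailing.lstrip()
    return t.startswith(b"*/") or b"alert(" in t or b"function" in t
```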



>corkamix.exe
CorkaMIX [PE]

>java -jar corkamix.exe
CorkaMIX [Java CLASS in JAR]

>cmp -b corkamix.exe corkamix_lb.exe
cmp: EOF on corkamix.exe

>python corkamix_lb.exe
CorkaMIX [python]

>copy corkamix.exe corkamix.html
        1 file(s) copied.



[screenshots: corkamix.exe opened in Adobe Reader renders a one-page PDF reading "CorkaMIX [PDF]"; corkamix.html opened in a browser shows a JavaScript alert reading "CorkaMIX [HTML+JavaScript]"]



db "MZ"
; [...]
db "%PDF-1.1", 0ah
db "obj<<>>stream", 0ah
db "<html>"
; [...]
at IMAGE_NT_HEADERS.Signature, db 'PE', 0, 0
; [...]
db 0fh, 9181, 111b << 3
push msg
call [__imp__printf]
; [...]
header:
db 'PK', 3, 4
dw 0ah ; version_needed
; [...]

_dd 0CAFEBABEh ; signature
_dw 3          ; minor version
_dw 2dh        ; major version
; [...]

_dd ? ; length of bytecode
GETSTATIC 8
LDC 14
INVOKEVIRTUAL 11
RETURN
_dw 0 ; exceptions count
dw 0  ; attributes count
; [...]



demo

$ nasm -o corkamosx mosx.asm
$ java -jar corkamosx
CorkaM-OsX [Java]
$ chmod +x corkamosx
$ ./corkamosx
CorkaM-OsX
$ cp corkamosx corkamosx.html
$ open corkamosx.html
$ cp corkamosx corkamosx.pdf
$ open corkamosx.pdf

[screenshots: corkamosx.html shows a JavaScript alert reading "CorkaM-OsX [HTML+JavaScript]"; corkamosx.pdf opens as a one-page PDF reading "CorkaM-OsX [PDF]"]





The file being studied is a Portable Executable file! More specifically, it is a PDF file for the Windows GUI subsystem. 



[screenshot: pocorgtfo02.pdf in SumatraPDF, page 1/32: "Children's Bible Coloring Book of PoC||GTFO", composed by the Rt. Revd. Pastor Manul Laphroaig]

demo - qemu-system-i386 -fda pocorgtfo02.pdf

>qemu-system-i386 -fda pocorgtfo02.pdf




[screenshot: VirusTotal file identification at https://www.virustotal.com/en/file/f427e8d95c0ac1 for pocorgtfo02.pdf: File size 13.5 MB (14109425 bytes), File type PDF, Magic literal "x86 boot sector", TrID Unknown!, first submission 2013-12-28 20:54:41 UTC]
Berliner Spargel Operating System
Mein Deutsch is nicht so gut, aber es ist Spargel zeit!
by Travis Goodspeed

- Memory Viewer
- About

This is a minimal operating system by Travis Goodspeed for 16-bit Real
Mode 8086 on an IBM PC. It was written in order to learn about the
8086, and it quite likely will serve no use for you. It is free
without any strings attached, but please give credit where credit is
due if you fork it.

Also, and this is very important, you should use the included hex viewer
to poke around this machine's memory. The boot sector at 0000:7C00
is likely a good place to start.

Press the 'any' key to continue.



schizophrenic

[screensh
ots: 44con-albertini.pdf rendered in SumatraPDF shows Ange Albertini's 44con slides; the same file at file:///S:/44con-albertini.pdf in a browser shows a page reading "THANK YOU ADOBE, BUT OUR DOCUMENT IS IN ANOTHER VIEWER"; Adobe Reader refuses it with the dialog below]

Adobe Reader could not open '44con-albertini.pdf' because it is either not a
supported file type or because the file has been damaged (for example, it was
sent as an email attachment and wasn't correctly decoded).



misc 



[hex dump of rocking.exe, offsets 00000000 to 000003F0: a PE whose slack bytes are filled with 0E]



rockin'

>rocking.exe
* a rockin' PE ;>







; 8-bit unsigned PCM: eight samples per period of the tone, 128 is silence
%macro _beep 0
    times DURATION db 128, 217, 255, 217, 128, 38, 1, 38
%endmacro

%macro _silence 0
    times DURATION * 8 db 128
%endmacro

%macro _dot 0
    _beep
    _silence
%endmacro

; Morse 'E' is a single dot
%macro _e 0
    _dot
%endmacro




crypto-tology:

for anything crypto, ask @veorq

(coz he's awesome)

THE ADOBE LOGO, ENCRYPTED WITH 3DES IN ECB MODE
(THE SAME ALGORITHM THEY USE TO STORE PASSWORDS)

WITH KEY = '\xe3#x\xad\x05\xa0\x87\x8b\x1a\x83\xe8\xca\x1d\xb8=n'

ANY RAW IMAGE WILL ENCRYPT AS A RAW IMAGE !

ENCRYPTION AGNOSTIC ?

IDEMPOTENT ?
CRYPTO-QUINE ?
ENDOMORPHISM ?

-> "ANGECRYPTION" !!!



(CBC diagram: PLAINTEXT BLOCKS P1 ..., IV, CIPHERTEXT BLOCKS C1 ..., DEC under key k)

C1 = ENC(P1 ^ IV)

DEC(C1) = P1 ^ IV

IV = DEC(C1) ^ P1

CONTENTS

PNG SIGNATURE             89 .P .N .G 0d 0a 1a 0a

STARTING A DUMMY CHUNK    xx xx xx xx tt tt tt tt   (CHUNK LENGTH, CHUNK TYPE)

ENDING DUMMY CHUNK        yy yy yy yy               (CHUNK CRC)

STARTING CONTROLLED DATA  00 00 00 0d .I .H .D .R

END OF IMAGE              00 00 00 00 .I .E .N .D ae 42 60 82





March 1, 2014

Archive: pocorgtfo03.pdf
warning [pocorgtfo03.pdf]: 12224072 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  Length   EAs  ACLs  Date      Time   Name
    2561     0     0  02/10/14  06:23  alexander.txt
    7848     0     0  02/08/14  20:20  bochs-2.6.2.patch
    6135     0     0  02/08/14  20:21  bochs-20140203.patch
    7248     0     0  02/09/14  08:35  defusing.zip
    4830     0     0  12/01/13  15:48  despair.txt
   14892     0     0  11/27/13  19:03  lasta.txt
   26325     0     0  02/07/14  21:06  lastq.txt
  473449     0     0  02/07/14  21:06  netwatch-337f8b1.tar.gz
  131930     0     0  02/24/14  20:32  nokiacipher.png
   14645     0     0  02/17/14  18:52  packed
    2129     0     0  02/07/14  21:06  saucers.txt
    3144     0     0  02/07/14  21:06  tamadec.txt
    6227     0     0  02/07/14  21:06  tetranglix.tar.bz2
14109425     0     0  02/07/14  21:06  pocorgtfo02.pdf
     322     0     0  03/03/14  01:28  pocorgtfo03-encrypt.py
--------   ---   ---                   -------
14811110     0     0                   15 files



FILE                              JPEG                              PDF

00: ff d8                         'Start of image' marker
02: ff e0 <size.16> (contents)    "APP0" marker (required header)
14: ff fe <size.16>               "COM" marker
+4: %PDF-1.5                      comment content                   PDF signature
    999 0 obj                                                       starting a dummy binary object
    <<>>
    stream
    (other markers, original JPEG data)
    "end of image" marker
    endstream
    endobj                                                          closing the dummy object
xx+14: %PDF-1.5* ...                                                original PDF contents (multiple signatures are ignored)

* replaced with 00 00 to bypass Adobe filter





AngeCryption: getting valid files after encryption

1 CONTROLLING FIRST ENCRYPTED BLOCK

Cipher Block Chaining: PLAINTEXT BLOCKS Pi, IV, CIPHERTEXT BLOCKS Ci

C1 = ENC(P1 ^ IV)
DEC(C1) = P1 ^ IV

IV = DEC(C1) ^ P1

2 CONTROLLING ENDING ENCRYPTED BLOCKS

DEC(A) = B  =>  ENC(B) = A

3 SKIPPING UNCONTROLLED BLOCKS

CONTENTS

(1) PNG SIGNATURE              89 .P .N .G 0d 0a 1a 0a
    STARTING A DUMMY CHUNK

(2) ENDING DUMMY CHUNK         yy yy yy yy
    STARTING CONTROLLED DATA
    ...
    END OF IMAGE               .I .E .N .D ae 42 60 82

ANGE ALBERTINI
with the help of JEAN-PHILIPPE AUMASSON
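The derivation of the three steps above (and of the CBC and PNG layout slides earlier) carried through in Python, as an added example that is not the PoC||GTFO script: a constructed toy block cipher stands in for AES, the key, the source text and the 1x1 PNG target are constructed, and the result is checked by walking the chunk list of the ciphertext and by decrypting it back. The lesson for a defender is the flip side: an unauthenticated CBC ciphertext can be made to parse as any format the attacker likes, so the file type of encrypted data says nothing about what was encrypted.

```python
import random, struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Toy 16-byte block cipher (key-derived byte permutation plus key XOR): a constructed
# stand-in for AES, since CBC's algebra only needs E/D to be a keyed bijection on blocks.
def _perm(key):
    p = list(range(256)); random.Random(key).shuffle(p); return p

def enc_block(key, blk):
    p = _perm(key); return bytes(p[b ^ key[i]] for i, b in enumerate(blk))

def dec_block(key, blk):
    inv = {v: i for i, v in enumerate(_perm(key))}
    return bytes(inv[b] ^ key[i] for i, b in enumerate(blk))
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def cbc_decrypt(key, iv, ct):
    """Plain CBC: P_i = DEC(C_i) ^ C_(i-1) with C_0 = IV."""
    out, prev = b"", iv
    for i in range(0, len(ct), 16):
        out += xor(dec_block(key, ct[i:i + 16]), prev); prev = ct[i:i + 16]
    return out

def angecrypt(key, source, target_body):
    """Return (iv, ct, appended): ct is a valid PNG whose CBC decryption is source + appended."""
    src = source + b"\0" * (-len(source) % 16)
    tgt = target_body + b"\0" * (-len(target_body) % 16)   # slack after IEND is ignored
    uncontrolled = len(src) - 16                      # ciphertext bytes nobody chooses
    # (3) block 1 = signature + ancillary dummy chunk sized to swallow the uncontrolled blocks
    c1 = PNG_SIG + struct.pack(">I", uncontrolled - 4) + b"aaaa"
    iv = xor(dec_block(key, c1), src[:16])            # (1) IV = DEC(C1) ^ P1
    ct = prev = c1
    for i in range(16, len(src), 16):                 # ordinary CBC for the rest of source
        prev = enc_block(key, xor(src[i:i + 16], prev)); ct += prev
    appended = b""
    for i in range(0, len(tgt), 16):                  # (2) DEC(A) = B  =>  ENC(B) = A:
        blk = tgt[i:i + 16]                           #     append B so the cipher emits A
        appended += xor(dec_block(key, blk), prev); ct += blk; prev = blk
    return iv, ct, appended

def png_chunk_types(data):
    """Walk a PNG's chunk list (length, type, data, CRC) and return the types up to IEND."""
    pos, types = 8, []
    while pos + 8 <= len(data):
        n, = struct.unpack(">I", data[pos:pos + 4]); t = data[pos + 4:pos + 8]
        types.append(t); pos += 12 + n
        if t == b"IEND": break
    return types

def _chunk(t, d): return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))

# Constructed inputs: 16-byte key, a text "source" and a real 1x1 greyscale PNG body.
KEY = b"constructed_key!"
SOURCE = b"plaintext: what the recipient gets after decrypting the picture"
TARGET = (_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + _chunk(b"IDAT", zlib.compress(b"\0\0")) + _chunk(b"IEND", b""))
```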



+ DECOY KEY

+ REAL KEY =>

[screenshots: test1.jpg in IrfanView (359 x 359 x 24 BPP) and test0.jpg in IrfanView (375 x 272 x 24 BPP, an "RSA SECURITY" logo)]

>crypto_hash *
test0.jpg 13990732b0d16c3e112f2356bd3d0dad1
test1.jpg 13990732b0d16c3e112f2356bd3d0dad1



conclusion

On binary formats

• specs far from perfect

• plenty of fun

• many consequences for infosec

o unforeseen attack channels